US12395468B2ActiveUtilityA1

Technique for eliminating ingress-proxy in the multi-relay approach for privacy

61
Assignee: CISCO TECH INCPriority: Jul 29, 2022Filed: Dec 23, 2022Granted: Aug 19, 2025
Est. expiryJul 29, 2042(~16.1 yrs left)· nominal 20-yr term from priority
H04L 63/166H04L 63/0435H04L 63/0414
61
PatentIndex Score
0
Cited by
7
References
20
Claims

Abstract

In one aspect, a method of IP obfuscation of a user device includes receiving, over an Extendible Authentication Protocol (EAP) session between a user device and a network access point, location preferences of the user device, generating, based on the location preferences or a network policy, a geohash for the user device, identifying, for the user device, an IP anchor, sending, over the EAP session, the geohash to the user device, and receiving, from the user device, network traffic, wherein the network access point utilizes the geohash and the IP anchor to route the network traffic for the user device and obfuscate IP address of the user device from third-party access.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A method of IP obfuscation of a user device, comprising:
 receiving, over an Extendible Authentication Protocol (EAP) session between a user device and a network access point, location preferences of the user device; 
 generating, based on the location preferences or a network policy, a geohash for the user device; 
 identifying, for the user device, an IP anchor; 
 sending, over the EAP session, the geohash to the user device; and 
 receiving, from the user device, a set of data for exchange between the user device and a destination point, wherein the network access point utilizes the geohash and the IP anchor to route the set of data for the user device and obfuscate IP address of the user device from third-party access. 
 
     
     
       2. The method of  claim 1 , further comprising:
 establishing a first Quick UDP Internet Connection (QUIC) session between the user device and an egress proxy, wherein the network access point provides a randomized IP address representative of the user device to the egress proxy associated with the geohash; 
 sending, over the connection between the user device and the egress proxy, a single connection request including an IP address of a destination, the egress proxy establishing one of a Transmission Control Protocol (TCP) session or a User Datagram Protocol (UDP) session between the egress proxy and the destination; and 
 establishing a second QUIC session between the user device and the destination through the egress proxy. 
 
     
     
       3. The method of  claim 2 , further comprising:
 facilitating, over the second QUIC session between the user device and the destination through the egress proxy, transmission of the set of data between the user device and the destination through the network access point and the egress proxy using the geohash and the IP anchor. 
 
     
     
       4. The method of  claim 1 , wherein the user device connects to the network access point using one of a 3GPP access or an IEEE 802.11-based access to the network access point, and wherein the location preferences are included in a NAS signaling for the 3GPP access or in an 802.11 link layer protocol for the IEEE 802.11-based access. 
     
     
       5. The method of  claim 1 , further comprising:
 digitally signing the geohash and a Network Access Translation (NAT) translated IP address of the user device using a public key. 
 
     
     
       6. The method of  claim 1 , wherein identifying the IP anchor is based on a location of the user device. 
     
     
       7. The method of  claim 1 , wherein the network access point and the IP anchor do not have visibility into the IP address of a destination to which the set of data is being sent or received from. 
     
     
       8. A network access point, comprising:
 one or more memories having computer-readable instructions stored therein; and 
 one or more processors configured to execute the computer-readable instructions to:
 receive, over an Extendible Authentication Protocol (EAP) session and from a user device, location preferences of the user device; 
 generate, based on the location preferences or a network policy, a geohash for the user device; 
 identify, for the user device, an IP anchor; 
 send, over the EAP session, the geohash to the user device; and 
 receive, from the user device, a set of data for exchange between the user device and a destination point, wherein the network access point is configured to utilize the geohash and the IP anchor to route the set of data for the user device and obfuscate IP address of the user device from third-party access. 
 
 
     
     
       9. The network access point of  claim 8 , wherein the one or more processors are configured to execute the computer-readable instructions to:
 establish a first Quick UDP Internet Connection (QUIC) session between the user device and an egress proxy, wherein the network access point provides a randomized IP address representative of the user device to the egress proxy associated with the geohash; 
 send, over the connection between the user device and the egress proxy, a single connection request including an IP address of a destination, the egress proxy establishing one of a Transmission Control Protocol (TCP) session or a User Datagram Protocol (UDP) session between the egress proxy and the destination; and 
 establish a second QUIC session between the user device and the destination through the egress proxy. 
 
     
     
       10. The network access point of  claim 9 , wherein the one or more processors are configured to execute the computer-readable instructions to facilitate, over the second QUIC session between the user device and the destination through the egress proxy, transmission of the set of data between the user device and the destination through the network access point and the egress proxy using the geohash and the IP anchor. 
     
     
       11. The network access point of  claim 8 , wherein the user device is configured to connect to the network access point using one of a 3GPP access or an IEEE 802.11-based access to the network access point, and wherein the location preferences are included in a NAS signaling for the 3GPP access or in an 802.11 link layer protocol for the IEEE 802.11-based access. 
     
     
       12. The network access point of  claim 8 , wherein the one or more processors are configured to execute the computer-readable instructions to digitally sign the geohash and a Network Access Translation (NAT) translated IP address of the user device using a public key. 
     
     
       13. The network access point of  claim 8 , wherein identifying the IP anchor is based on a location of the user device. 
     
     
       14. The network access point of  claim 8 , wherein the network access point and the IP anchor do not have visibility into the IP address of a destination to which the set of data is being sent or received from. 
     
     
       15. One or more non-transitory computer-readable media comprising computer-readable instructions, which when executed by one or more processors of a network access point, cause the network access point to:
 receive, over an Extendible Authentication Protocol (EAP) session and from a user device, location preferences of the user device; 
 generate, based on the location preferences or a network policy, a geohash for the user device; 
 identify, for the user device, an IP anchor; 
 send, over the EAP session, the geohash to the user device; and 
 receive, from the user device, a set of data for exchange between the user device and a destination point, wherein the network access point is configured to utilize the geohash and the IP anchor to route the set of data for the user device and obfuscate IP address of the user device from third-party access. 
 
     
     
       16. The one or more non-transitory computer-readable media of  claim 15 , wherein the execution of the computer-readable instructions further cause the network access point to:
 establish a first Quick UDP Internet Connection (QUIC) session between the user device and an egress proxy, wherein the network access point provides a randomized IP address representative of the user device to the egress proxy associated with the geohash; 
 send, over the connection between the user device and the egress proxy, a single connection request including an IP address of a destination, the egress proxy establishing one of a Transmission Control Protocol (TCP) session or a User Datagram Protocol (UDP) session between the egress proxy and the destination; and 
 establish a second QUIC session between the user device and the destination through the egress proxy. 
 
     
     
       17. The one or more non-transitory computer-readable media of  claim 16 , wherein the execution of the computer-readable instructions further cause the network access point to facilitate, over the second QUIC session between the user device and the destination through the egress proxy, transmission of the set of data between the user device and the destination through the network access point and the egress proxy using the geohash and the IP anchor. 
     
     
       18. The one or more non-transitory computer-readable media of  claim 15 , wherein the user device is configured to connect to the network access point using one of a 3GPP access or an IEEE 802.11-based access to the network access point, and wherein the location preferences are included in a NAS signaling for the 3GPP access or in an 802.11 link layer protocol for the IEEE 802.11-based access. 
     
     
       19. The one or more non-transitory computer-readable media of  claim 15 , wherein the execution of the computer-readable instructions further cause the network access point to digitally sign the geohash and a Network Access Translation (NAT) translated IP address of the user device using a public key. 
     
     
       20. The one or more non-transitory computer-readable media of  claim 15 , wherein the network access point and the IP anchor do not have visibility into the IP address of a destination to which the set of data is being sent or received from.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.